I got an IDS alert from my WCS system. As I tried to troubleshoot the alert, I had to recognize that I am not really aware of any work order for security reactions.
Maybe some engineers in this community have better how-to's / suggestions or useful tools for reacting to security alerts.
IDS 'Deauth flood' Signature attack detected on AP '<ap name>' protocol '802.11b/g' on Controller '<controller-ip>'. The Signature description is 'Deauthentication flood', with precedence '9'. The channel number is '11', the number of detections is '500', and one of potentially several attackers' mac addresses is '<attacker-mac>'.
1.) Got the alarm details and saved them via screenshot.
2.) Watched the alarm history to find out how often the attack was logged. (The first attack was last week, on the same day of the week.)
3.) Tried to localize the attacker, but only one access-point got the alert, at about -93 dBm RSSI. Location is not very accurate with only one access-point.
4.) Because there is no wireless client at all in that location / on that access-point, I decided to set the attacked access-point to monitor mode, to maybe get more or further details on the attacks.
5.) Further reactions I am thinking about are:
- set more access-points to monitor mode; maybe I will get a more accurate attacker location
- infrastructure security personnel could watch the location for foreign people with notebooks or other wireless equipment. But I think this is not very helpful because of very small wireless tools, maybe some hidden installed equipment, or maybe an attacking employee.
- look for measurement tools to locate attackers very accurately.
- other access-point modes, e.g. sniffer or rogue-detector
- look for some containment features in WCS against the attacking client
I have WCS and WLC with AIR-LAP1142 but no MSE with wIPS or location.
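As an added example (not code from the original post, nor from Cisco WCS/WLC), the following Python script does two of the things the steps above describe: it parses a WCS 'Signature attack detected' alert line like the one quoted into structured fields, and it summarizes deauthentication/disassociation frames collected by access-points in monitor mode, reporting per sending MAC the peak frame rate in a one-second window and the AP that heard it strongest, which is the rough location hint more monitor-mode APs would give. The AP names, MAC addresses, controller IP, frame records and the 50 frames/second flood threshold are constructed assumptions, not values from the post.

```python
"""Added example: parse a WCS IDS alert and summarize a monitor-mode deauth capture.

Not the original poster's code and not part of WCS/WLC. All sample values
(AP names, MACs, controller IP, frame timings) are constructed for the demo.
"""
import re
from collections import defaultdict

# Regex for the alert text shape quoted in the post, with the <...> placeholders
# replaced by single-quoted values as WCS prints them.
ALERT_RE = re.compile(
    r"IDS '(?P<signature>[^']+)' Signature attack detected on AP '(?P<ap>[^']+)' "
    r"protocol '(?P<protocol>[^']+)' on Controller '(?P<controller>[^']+)'\. "
    r"The Signature description is '(?P<description>[^']+)', with precedence "
    r"'(?P<precedence>\d+)'\. The channel number is '(?P<channel>\d+)', the number "
    r"of detections is '(?P<detections>\d+)', and one of potentially several "
    r"attackers' mac addresses is '(?P<attacker_mac>[^']+)'\."
)

# Constructed sample alert (AP name, controller IP and MAC are made up).
SAMPLE_ALERT = (
    "IDS 'Deauth flood' Signature attack detected on AP 'ap-floor2-east' "
    "protocol '802.11b/g' on Controller '192.0.2.10'. The Signature description is "
    "'Deauthentication flood', with precedence '9'. The channel number is '11', the "
    "number of detections is '500', and one of potentially several attackers' mac "
    "addresses is '00:11:22:33:44:55'."
)


def parse_wcs_ids_alert(text):
    """Return the alert fields as a dict (numeric fields as int), or None if no match."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("precedence", "channel", "detections"):
        fields[key] = int(fields[key])
    return fields


# 802.11 management frame subtypes relevant to this signature.
DEAUTH_SUBTYPE = 0x0C    # Deauthentication
DISASSOC_SUBTYPE = 0x0A  # Disassociation, commonly flooded alongside deauth
BEACON_SUBTYPE = 0x08    # Beacon, included only to show it is filtered out


def summarize_deauth_capture(frames, window_s=1.0, threshold=50):
    """Per source MAC: peak deauth/disassoc frames in any window_s window,
    the AP that heard the sender strongest, and whether the peak crosses threshold.

    frames: iterable of dicts with keys t (seconds), ap, src, subtype, rssi (dBm).
    """
    by_src = defaultdict(list)
    for f in frames:
        if f["subtype"] in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            by_src[f["src"]].append(f)

    summary = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f["t"])
        times = [f["t"] for f in fs]
        peak, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        best_rssi = {}                           # strongest RSSI seen per AP
        for f in fs:
            if f["ap"] not in best_rssi or f["rssi"] > best_rssi[f["ap"]]:
                best_rssi[f["ap"]] = f["rssi"]
        ap, rssi = max(best_rssi.items(), key=lambda kv: kv[1])
        summary[src] = {"peak_rate": peak, "strongest_ap": ap,
                        "rssi": rssi, "flood": peak >= threshold}
    return summary


def build_sample_frames():
    """Constructed capture: 200 deauths in one second from one MAC, heard by two
    monitor-mode APs at different signal levels, plus a few normal deauths
    from a client and one beacon."""
    frames = []
    for i in range(200):
        ap, rssi = ("ap-floor2-east", -93) if i % 2 == 0 else ("ap-floor2-west", -70)
        frames.append({"t": i / 200.0, "ap": ap, "src": "00:11:22:33:44:55",
                       "subtype": DEAUTH_SUBTYPE, "rssi": rssi})
    for t in (0.0, 10.0, 20.0):                  # a client leaving normally
        frames.append({"t": t, "ap": "ap-floor2-east", "src": "aa:bb:cc:dd:ee:01",
                       "subtype": DEAUTH_SUBTYPE, "rssi": -60})
    frames.append({"t": 0.5, "ap": "ap-floor2-east", "src": "aa:bb:cc:dd:ee:02",
                   "subtype": BEACON_SUBTYPE, "rssi": -40})
    return frames


if __name__ == "__main__":
    print(parse_wcs_ids_alert(SAMPLE_ALERT))
    for src, info in summarize_deauth_capture(build_sample_frames()).items():
        print(src, info)
```

With a second AP in monitor mode hearing the same sender at -70 dBm, the summary points at ap-floor2-west rather than the -93 dBm AP that raised the alert, which is the kind of narrowing step 5's first bullet is after; the frame records would in practice come from a sniffer-mode or monitor-mode capture rather than being built inline.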